What is claimed is: 



CLAIMS 



1. A method of secure session management and authentication between a web site and a web 
client, said web site having secure and non-secure web pages, said method comprising the steps of: 

a) utilizing a non-secure communication protocol and a session cookie when said web 
client requests access to said non-secure web pages; and 

b) utilizing a secure communication protocol and an authcode cookie when said web 
client requests access to said secure web pages. 

2. The method of claim 1 , wherein said method also comprises the steps of: 

c) requesting said session cookie from said web client when said web client requests 
access to said non-secure web pages and verifying said requested session cookie; and 

d) requesting said authcode cookie from said web client when said web client requests 
access to said secure web pages and verifying said requested authcode cookie. 

3. The method of claim 2, wherein said method also comprises alternating between said secure 
communication protocol and said non-secure communication protocol when said web client 
alternates requests for access to said secure web pages and said non-secure web pages. 

4. The method of claim 3, wherein said alternating between said secure communication protocol 
and said non-secure communication protocol is facilitated by a table which keeps track of said non- 
secure web pages and said secure web pages. 

5. The method of claim 4, wherein said web site uses said table to direct said web client to use 
said secure communication protocol or said non-secure communication protocol depending on 
whether said web client requests access to said non-secure web pages or said secure web pages. 

6. The method of claim 3, wherein said method also comprises allowing said web client to be 
a guest client or a registered client. 



7. The method of claim 6, wherein said method also comprises creating stored information 
including data contained in said session cookie, data contained in said authcode cookie and data 
about said web client. 

8. The method of claim 7, wherein said session cookie includes a pointer and an encrypted 
portion, said pointer pointing to said stored information, said encrypted portion having a random 
portion and a date portion. 

9. The method of claim 7, wherein said authcode cookie includes an encrypted portion, said 
encrypted portion having a random portion and a date portion. 

10. The method of claim 8, wherein verifying said requested session cookie from said web client 
includes using said stored information to generate a second session cookie and comparing said 
second session cookie to said session cookie requested from said web client. 

11. The method of claim 9, wherein verifying said requested authcode cookie from said web 
client includes using said stored information to generate a second authcode cookie and comparing 
said second authcode cookie to said authcode cookie requested from said web client. 

12. A system, for secure session management and authentication between a web site and a web 
client, said system comprising a web server, a web client and a communication channel, said web 
server coupled to said web client via said communication channel, said web server having a web site, 
said web site including: 

a) secure and non-secure web pages; 

b) a non-secure communication protocol and a session cookie for allowing said web 
client access to said non-secure web pages; and 

c) a secure communication protocol and an authcode cookie for allowing said web 
client access to said secure web pages. 



13. The system of claim 12, wherein said web site also includes: 

d) verification means for verifying said session cookie when said session cookie is 
requested from said web client; and 

e) verification means for verifying said authcode cookie when said authcode cookie 
is requested from said web client. 



14. The system of claim 13, wherein said web server further comprises a security alternating 
means for alternating between said secure communication protocol and said non-secure 
communication protocol. 

15. The system of claim 14, wherein said web server further comprises a table to keep track of 
said non-secure web pages and said secure web pages. 

16. The system of claim 13, wherein said web site includes access means to allow said web client 
to access said web site as a guest client or a registered client. 

17. The system of claim 16, wherein said web system has storage means for containing stored 
information about said web client, data contained in said session cookie and data contained in said 
authcode cookie. 



18. The system of claim 17, wherein said session cookie includes a pointer and an encrypted 
portion, said pointer pointing to said stored information, said encrypted portion having a random 
portion and a date portion. 

19. The system of claim 17, wherein said authcode cookie includes an encrypted portion, said 
encrypted portion having a random portion and a date portion. 
20. A computer program embodied on a computer readable medium, said computer program 
providing for secure session management and authentication between a web site and a web client, 
said web site having secure and non-secure web pages, said computer program adapted to: 

a) use a non-secure communication protocol and a session cookie when said web 
client requests access to said non-secure web pages; and 

b) use a secure communication protocol and an authcode cookie when said web client 
requests access to said secure web pages. 

21. The computer program of claim 20, wherein said computer program is further adapted to: 

c) request said session cookie from said web client when said web client requests 
access to said non-secure web pages and to verify said requested session cookie; and 

d) request said authcode cookie from said web client when said web client requests 
access to said secure web pages and to verify said requested authcode cookie. 

22. The computer program of claim 21, wherein said computer program is further adapted to 
alternate between said secure communication protocol and said non-secure communication protocol 
when said web client alternates requests for access to said secure web pages and said non-secure web 
pages. 

23. The computer program of claim 22, wherein said alternating between said secure 
communication protocol and said non-secure communication protocol is facilitated by a table which 
keeps track of said non-secure web pages and said secure web pages. 

24. The computer program of claim 23, wherein said computer program uses said table to direct 
said web client to use said secure communication protocol or said non-secure communication 
protocol depending on whether said web client requests access to said non-secure web pages or said 
secure web pages. 

25. The computer program of claim 22, wherein said computer program is adapted to allow said 
web client to be a guest client or a registered client. 



26. The computer program of claim 25, wherein said computer program is adapted to create 
stored information including data contained in said session cookie, data contained in said authcode 
cookie and data about said web client. 

27. The computer program of claim 26, wherein said session cookie includes a pointer and an 
encrypted portion, said pointer pointing to said stored information, said encrypted portion having 
a random portion and a date portion. 

28. The computer program of claim 26, wherein said authcode cookie includes an encrypted 
portion, said encrypted portion having a random portion and a date portion. 

29. The computer program of claim 27, wherein verifying said requested session cookie from 
said web client includes using said stored information to generate a second session cookie and 
comparing said second session cookie to said session cookie requested from said web client. 

30. The computer program of claim 28, wherein verifying said requested authcode cookie from 
said web client includes using said stored information to generate a second authcode cookie and 
comparing said second authcode cookie to said authcode cookie requested from said web client. 

31. A computer program for creating a NAME attribute in a session cookie, said computer 
program comprising the steps of: 

a) generating a user_id; 

b) generating a session_string; 

c) generating a session_timestamp; 

d) appending said session_timestamp to said session_string to create an intermediate 
value; 

e) applying a one way hash function to said intermediate value to create a final value; 
and 

f) storing said final value in said NAME attribute. 

32. The computer program of claim 31, wherein creating a PATH attribute, an EXPIRES 
attribute, a DOMAIN attribute and a SECURE attribute in said session cookie comprises the steps 
of: 

a) storing a slash ("/") in said PATH attribute; 

b) storing a null string ("") in said EXPIRES attribute; 

c) storing a null string ("") in said DOMAIN attribute; and 

d) storing a null string ("") in said SECURE attribute. 

33. A computer program for creating a NAME attribute in an authcode cookie, said computer 
program comprising the steps of: 

a) generating an authcode; 

b) generating an authcode_timestamp; 

c) appending said authcode_timestamp to said authcode to create an intermediate 
value; 

d) applying a one way hash function to said intermediate value to create a final value; 
and 

e) storing said final value in said NAME attribute. 

34. The computer program of claim 33, wherein creating a PATH attribute, an EXPIRES 
attribute, a DOMAIN attribute and a SECURE attribute in said authcode cookie comprises the steps 
of: 

a) storing a slash ("/") in said PATH attribute; 

b) storing a null string ("") in said EXPIRES attribute; 

c) storing a null string ("") in said DOMAIN attribute; and 

d) storing the string "secure" in said SECURE attribute. 
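As an added illustration, not part of the patent text, the following Python sketches the cookie construction of claims 31 to 34 (hash of random portion plus date portion, attributes as claimed) together with the regenerate-and-compare verification of claims 10 and 11. The in-memory server store, the "pointer.hash" layout of the session cookie value, SHA-256 as the one way hash and the timestamp format are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed server-side store; the session cookie's "pointer" (claim 8) is the
# key into it. The dict, the value layout and SHA-256 are assumptions, not the patent's.
STORE: dict = {}


def _name_value(random_part: str, timestamp: str) -> str:
    """Steps d)-e) of claims 31 and 33: one way hash of random_part || timestamp."""
    return hashlib.sha256((random_part + timestamp).encode()).hexdigest()


def _timestamp(now=None) -> str:
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%S")  # date portion; format is an assumption


def create_session_cookie(user_id: str, now=None) -> dict:
    """Claims 31-32: pointer plus hash in NAME, PATH '/', other attributes empty."""
    session_string = secrets.token_hex(16)  # random portion
    session_timestamp = _timestamp(now)
    STORE[user_id] = {"session_string": session_string, "session_timestamp": session_timestamp}
    return {"NAME": f"{user_id}.{_name_value(session_string, session_timestamp)}",
            "PATH": "/", "EXPIRES": "", "DOMAIN": "", "SECURE": ""}


def create_authcode_cookie(user_id: str, now=None) -> dict:
    """Claims 33-34: same construction, but SECURE is set so it only travels over HTTPS."""
    authcode = secrets.token_hex(16)
    authcode_timestamp = _timestamp(now)
    STORE[user_id].update({"authcode": authcode, "authcode_timestamp": authcode_timestamp})
    return {"NAME": _name_value(authcode, authcode_timestamp),
            "PATH": "/", "EXPIRES": "", "DOMAIN": "", "SECURE": "secure"}


def verify_session_cookie(cookie: dict) -> bool:
    """Claim 10: rebuild a second cookie from stored information and compare (constant time)."""
    user_id, _, presented = cookie["NAME"].partition(".")
    info = STORE.get(user_id)
    if info is None:
        return False
    expected = _name_value(info["session_string"], info["session_timestamp"])
    return hmac.compare_digest(expected, presented)


def verify_authcode_cookie(user_id: str, cookie: dict) -> bool:
    """Claim 11: the authcode cookie carries no pointer, so the session pointer selects the record."""
    info = STORE.get(user_id)
    if info is None or "authcode" not in info:
        return False
    expected = _name_value(info["authcode"], info["authcode_timestamp"])
    return hmac.compare_digest(expected, cookie["NAME"])
```

A tampered or unknown cookie fails because the server regenerates the hash from its own stored random and date portions rather than trusting anything in the presented value.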